Computer system and method thereof

ABSTRACT

A computer system to which measures against computer virus can be taken with ease, and a method therefor. In a computer network system, a first GW server is assigned an IP address to which a netmask of 24 bits (allowing to perform communication with 256 other nodes at the maximum) is imparted, and is allowed to perform communication with all of client computers. Upon occurrence of an abnormal condition such as viral infection, the client computers are assigned or reassigned IP addresses including a netmask (for example, 30 bits; allowing to perform communication with two other nodes at the maximum) that only allow to perform communication with a security measure server via a second GW server, whereby the client computers are allowed to perform communication only with the security measure server via the second GW server. In this way, the security measures are taken.

RELATED APPLICATIONS

The present application is a National Phase entry of International Application Number PCT/JP2004/014067, filed Sep. 27, 2004, which is incorporated by reference herein in its entirety.

TECHNICAL FIELD

The present invention relates to a computer system including a computer that performs communication using an IP address with a netmask, and to a method thereof.

BACKGROUND ART

At present, as a protocol for communication among computers (in the following description, computers and the like that perform communication/information processing may be generally referred to as “nodes”), the transmission control protocol/internet protocol (TCP/IP) is generally used. For communication using the TCP/IP, an IP address of a 32-bit configuration is assigned to each of the nodes.

This IP address includes a network section used for identifying a network to which each of the nodes belongs and a host section used for identifying each of the nodes in the network to which the node belongs.

The network section and the host section of the IP address are identified by a netmask of a 32-bit configuration. Each of the bits of the netmask is 1 when a bit of the IP address corresponding thereto is included in the network section and is 0 when the bit of the IP address is included in the host section (the number of bits being 1 is hereinafter referred to as the number of bits of the netmask).

As a protocol for managing the IP address and assigning the IP address to each of the nodes, the dynamic host configuration protocol (DHCP) is generally used.

Further, in recent years, there is a serious problem that programs (data) spread from computer to computer via a network and adversely affect the computers in various ways, leading to leakage of data from the computers and the like. Such programs (data) are also called computer viruses or worms.

A computer virus/worm is formed of a program code, a macro of a specific application program, and data for execution of the code and the macro, or a combination including one or more of the above. Hereinafter, the computer virus/worm is generally referred to as a computer virus or simply as a virus.

For example, Patent Document 1 discloses a method of preventing an illegal access to a DHCP server that provides a DHCP function in a network in which the IP address and the DHCP are used.

However, the method disclosed in Patent Document 1 cannot prevent an infection of a virus from spreading among computers connected to a network.

Patent Document 1: JP 2004-228799 A

DISCLOSURE OF THE INVENTION

Problems to be Solved by the Invention

The present invention has been made in view of the background described above, and it is an object of the present invention to provide a computer system, which is improved so IP addresses can be used more flexibly in a network by contriving a method of using netmasks, and a method thereof.

It is another object of the present invention to provide a computer system, which is improved so that computers connected to a network can be provided with various functions by contriving netmasks and a method of assigning IP addresses with the netmasks, and a method thereof.

It is still another object of the present invention to provide a computer system capable of easily taking measures against computer viruses, and a method thereof.

Means for Solving the Problems

To attain the above-mentioned objects, a computer system according to the present invention relates to a computer system, in which communication is performed using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask. The computer system includes: one or more first nodes for performing communication using the first IP address or the second IP address; one or more second nodes for performing communication using the second IP address; and a third node for selectively assigning the first IP address or the second IP address to the first nodes.

Preferably, the first nodes are network computers for performing communication in a network to which the first netmask and the second netmask are applied, the second nodes are first gateway servers for performing communication control among the network computers, and the third node is a DHCP server for selectively assigning the first IP address or the second IP address to the network computers.

Preferably, the computer system further includes a fourth node for performing communication with the first nodes.

Preferably, the first IP address is an IP address used for communication between each group including one or more of the first nodes and the fourth node, the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes, the first nodes perform communication with the fourth node using the first IP address assigned thereto, and the second nodes perform communication with the arbitrary one of the first nodes using the second IP address assigned thereto.

Preferably, the fourth node is a second gateway server for applying communication control for a security measure to the first nodes.

Preferably, in a case where the communication control for the security measure for the first node is performed by the second gateway server, the third node assigns the first IP address with the first netmask having a number of bits smaller than that of the second netmask to the first nodes.

Preferably, the computer system further includes a fifth node for performing communication with the first nodes via the fourth node, and the first nodes further perform communication with the fifth node via the fourth node using the first IP address assigned.

Preferably, the fifth node provides the first nodes with a predetermined function via the fourth node.

Preferably, the first nodes request the third node to assign IP addresses at a predetermined time interval, and the third node assigns the first IP address or the second IP address to the first nodes for requesting assignment of IP addresses.

Further, an IP address assigning apparatus according to the present invention relates to an IP address assigning apparatus for assigning IP addresses used for communication in a network to communication nodes for performing communication in the network and a specific node other than the communication nodes. The communication nodes request reassignment of the IP addresses at predetermined timing. The IP address assigning apparatus includes: assigning means for assigning a general-purpose IP address, which can be used for communication between arbitrary number of the communication nodes, to each of the communication nodes; and reassigning means for, in response to requests for reassignment of IP addresses from the communication nodes, to the communication nodes which have requested the reassignment of IP addresses, reassigning a specific IP address used for communication between the specific node and the communication nodes in a case where the communication between the specific node and the communication nodes is performed, and reassigning the general-purpose IP address in other cases.

Preferably, the reassigning means sequentially reassigns, in response to the request for reassignment of IP addresses from the communication node, the specific IP address to all the communication nodes in a case where the communication between the specific nodes and the communication nodes is performed.

Preferably, the assigning means assigns a general-purpose IP address with a general-purpose netmask used for communication between arbitrary one of the communication nodes to each of the communication nodes, and the reassigning means, in response to requests for reassignment of IP addresses from the communication nodes, to the communication nodes which have requested the reassignment of IP addresses, reassigns the specific IP address with a specific netmask used for communication between the specific node and the communication nodes in a case where the communication between the specific node and the communication nodes is performed, and reassigns the general-purpose IP address with a general-purpose netmask used for the communication between arbitrary one of the communication nodes in other cases.

Further, a communication method according to the present invention relates to a communication method of performing communication in a network using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask. The network includes first to third nodes each of which being one or more nodes, each of the first nodes performs communication using the first IP address or the second IP address, each of the second nodes performs communication using the second IP address, and the third nodes selectively assign the first IP address or the second IP address to the first nodes.

Preferably, the first IP address is an IP address used for communication between each group including one or more of the first nodes and the fourth node, the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes, the first nodes perform communication with the fourth node using the first IP address assigned, and the second nodes perform communication with arbitrary one of the first nodes using the second IP address assigned.

Further, an IP address assigning method of the present invention relates to an IP address assigning method of assigning IP addresses used in communication in a network to communication nodes for performing communication in the network and a specific node other than the communication nodes. The communication nodes request reassignment of the IP addresses at predetermined timing. The IP address assigning method includes: assigning a general-purpose IP address used for communication between arbitrary number of the communication nodes to each of the communication nodes; and in response to requests for reassignment of IP addresses from the communication nodes, to the communication nodes which have requested the reassignment of IP addresses, reassigning a specific IP address used for communication between the specific node and the communication nodes in a case where communication between the specific node and the communication nodes is performed, and reassigning the general-purpose IP address in other cases.

Further, a first program according to the present invention is a program for performing communication in a network using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask. The network includes first to third nodes each of which being one or more nodes. The first program causes a computer to execute the steps of: performing, by each of the first nodes, communication using the first IP address or the second IP address; performing, by each of the second nodes, communication using the second IP address; and selectively assigning, by the third nodes, the first IP address or the second IP address to the first nodes.

Preferably, the first IP address is an IP address used for communication between each group including one or more of the first nodes, and the fourth node, the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes, the step of performing communication in each of the first nodes includes performing communication with the fourth node using the first IP address assigned, and the step of performing communication in each of the second nodes includes performing communication with arbitrary one of the first nodes using the second IP address assigned.

Further, a second program according to the present invention is a program for assigning IP addresses used in communication in a network to communication nodes for performing communication in the network and a specific node other than the communication nodes. The communication nodes request reassignment of the IP addresses at predetermined timing. The second program causes a computer to execute the steps of: assigning a general-purpose IP address used for communication between arbitrary number of the communication nodes to each of the communication nodes; and in response to requests for reassignment of IP addresses from the communication nodes, to the communication nodes which have requested the reassignment of IP addresses, reassigning a specific IP address used for communication between the specific node and the communication nodes in a case where communication between the specific node and the communication nodes is performed, and reassigning the general-purpose IP address in other cases.

EFFECTS OF THE INVENTION

According to the present invention, there are provided a computer system that is improved to be capable of using IP addresses more flexibly in a network by contriving a method of using netmasks, and a method thereof.

According to the present invention, there are provided a computer system that is improved to be capable of providing computers connected to a network with various functions by contriving netmasks and a method of assigning IP addresses with netmasks, and a method thereof.

According to the present invention, there are provided a computer system capable of easily taking measures concerning computer security, and a method thereof.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a configuration of a computer network system according to the present invention.

FIG. 2 is a first diagram illustrating an aspect of communication in the computer network system shown in FIG. 1, and specifically an aspect of normal communication in a computer network system 1.

FIG. 3 is a second diagram illustrating an aspect of communication in the computer network system shown in FIG. 1, and specifically an aspect of communication between a second GW and a client.

FIG. 4 is a third diagram illustrating an aspect of communication in the computer network system shown in FIG. 1, specifically an aspect of communication during security measure communication.

FIG. 5 is a diagram illustrating hardware configuration of a DHCP server, a first GW server, a second GW server, a security measure server, a security check server, a client computer, and the like.

FIG. 6 is a diagram showing a client program which operates in the client computer shown in FIG. 1.

FIG. 7 is a diagram showing a DHCP server program which operates in the DHCP server shown in FIG. 1.

FIG. 8 is a flowchart showing processing (S10) by the DHCP server program shown in FIG. 7.

FIG. 9 is a diagram showing a GW server program which operates in the second GW server shown in FIG. 1.

FIG. 10 is a diagram showing an anti-virus program 40 which operates in the anti-virus server shown in FIG. 1.

FIG. 11 is a communication sequence diagram showing an operation (S12) during the normal communication (FIG. 2) in the computer network system shown in FIG. 1.

FIG. 12 is a communication sequence diagram showing an operation (S14) at the start of anti-virus communication (FIG. 4) in the computer network system shown in FIG. 1.

FIG. 13 is a communication sequence diagram showing an operation (S18) at the completion of the anti-virus communication (FIG. 4) in the computer network system shown in FIG. 1.

FIG. 14 is a communication sequence diagram showing an operation (S18) at the completion of the security measure communication (FIG. 4) in the computer network system shown in FIG. 1.

BEST MODE FOR CARRYING OUT THE INVENTION

Embodiments of the present invention will be hereinafter explained.

(Computer Network System 1)

FIG. 1 is a diagram illustrating a configuration of a computer network system 1 according to the present invention.

As shown in FIG. 1, in the computer network system 1, client computers 10-1 to 10-n (a first node: n is an integer equal to or larger than 1), a DHCP server 2 (a third node), and a security check server 5 are connected so as to be capable of communicating with each other via a first network 100 such as a LAN or a WAN.

A security measure server 4 (a fifth node) and another specific node 18 such as a domain name server (DNS) are connected so as to be capable of communicating with each other via a second network 102 similar to the network 100.

Further, the networks 100 and 102 are connected so as to be capable of communicating with each other via a general first gateway server (a second node; a first GW server) 28 and second gateway server 3 (a fourth node; a second GW server 3 (described later with reference to FIG. 9 and the like)) that perform processing such as protocol conversion between the networks.

The networks 100 and 102 may be further connected to other network systems such as other LANs, WANs, and the Internet.

The computer network system 1 can take various configurations such as a configuration in which the DHCP server 2, the first GW server 28, and the security check server 5 are integrally configured.

When a plurality of components such as the client computers 10-1 to 10-n are shown without specifying any one of the components, the client computers are simply described as the client computers 10 below.

In the respective figures, same components are denoted by the same reference symbols.

FIGS. 2 to 4 are first to third diagrams illustrating aspects of communication in the computer network system 1 shown in FIG. 1, respectively. FIG. 2 shows an aspect of normal communication in the computer network system 1, FIG. 3 shows an aspect of communication between a second GW and a client, and FIG. 4 shows an aspect during security measure communication.

In the computer network system 1, assignment of IP addresses and the following communications (1) to (3) using the assigned IP addresses are performed by those components.

(1) As shown in FIG. 2, in the network 100, when there is no security abnormality such as viral infection, the first GW server 28 and the client computers 10 are assigned IP addresses (second IP addresses, general-purpose IP addresses) with netmasks (second netmasks, general-purpose netmasks) having the same number of bits (e.g. 24 bits).

In this case, in the computer network system 1, the first GW server 28 and the client computers 10 are allowed to perform communication with other arbitrary nodes by using an IP address with a 24-bit netmask (with which communication with 256 other nodes at the maximum is possible).

Consequently, one or more of the following communications are performed (normal communication):

(a) communication between the arbitrary client computers 10;

(b) communication between the client computers 10 and the first GW server 28;

(c) communication between client computers 10 via the first GW server 28;

(d) communication between the client computers 10 and the specific node 18; and

(e) communication between the client computers 10 and the specific node 18 via the first GW server 28.

(2) As shown in FIG. 3, in the computer network system 1, when an abnormality such as viral infection occurs, or provision of a service such as addition or replacement of software of all the client computers 10 or the like is necessary, each of the client computers 10 is sequentially assigned an IP address (a first IP address, a specific IP address) with a netmask (a first netmask, a specific netmask; e.g., 30 bits), with which communication with only the second GW server 3 is possible, while the assignment of the IP address to the first GW server 28 is kept.

In this case, in the computer network system 1, the second GW server 3 is allowed to perform communication with all the other nodes by using an IP address with a 22-bit netmask. Each of the client computers 10 is allowed to perform communication with the second GW server 3 and communication with the other nodes via the second GW server 3 by using an IP address with a 30-bit netmask (with which communication with only one other node is possible).

Consequently, in the computer network system 1, one or more of the following communications are performed:

(b) communication between the client computers 10 and the second GW server 3;

(c) communication between the client computers 10 via the second GW server 3; and

(e) communication between the client computers 10 and the specific node 18 (the security measure server 4 may be included. The same applies in the following description) via the second GW server 3.

Further, the following are inhibited (communication between the second GW server and the client):

(a) communication between the arbitrary client computers 10 without an intervention of the second GW server 3; and

(d) communication between the client computers 10 and the specific node 18 without an intervention of the second GW server 3.

(3) As shown in FIG. 4, in the computer network system 1, when an abnormality such as viral infection occurs, each of the client computers 10 is assigned an IP address with a netmask (e.g., 30 bits), with which communication with only the security measure server 4 via the second GW server 3 is possible, while the assignment of the IP address to the first GW server 28 is kept.

In this case, in the computer network system 1, the second GW server 3 is allowed to perform communication with all the client computers 10 by using an IP address with a 22-bit netmask (with which communication with 1021 other nodes at the maximum is possible).

On the other hand, in this case, each of the client computers 10 is allowed to only perform communication with the security measure server 4 via the second GW server 3 by using an IP address with a 30-bit netmask (with which communication with only one other node is possible).

Consequently, only the following is performed:

(f) communication between each of the client computers 10 and the security measure server 4 via the second GW server 3.

Security measures are applied to all the client computers 10 simultaneously (during security measure communication).

Note that it is possible to provide the client computers 10 with various functions by replacing the security measure server 4 with various nodes that provide other functions such as a data server or a program server, or by including servers that provide various functions in the specific node 18.

However, to embody and clarify the explanation, hereinafter a specific example is provided in which the computer network system 1 provides the client computers 10 with only the security measure function.

Similarly, the number of bits of a netmask can take values other than 24 and 30. In the following explanation, a specific example is provided in which: the number of bits of netmasks attached to IP addresses assigned to the client computers 10 during the normal communication (FIG. 2) is 24; the number of bits of netmasks attached to IP addresses assigned to the client computers 10 during other communication (FIGS. 3 and 4) is 30; the number of bits of a netmask attached to an IP address assigned to the first GW server 28 is always 24; and the number of bits of a netmask attached to an IP address assigned to the second GW server 3 is always 22.

Similarly, in the following explanation, a specific example is provided in which only the normal communication shown in FIG. 2 or the security measure communication shown in FIG. 4 is performed in the computer network system 1.
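
The effect of the 24-, 30- and 22-bit netmasks on who a node treats as directly reachable can be checked with the following Python sketch. It is an added example, not part of the original specification; all addresses are constructed, and it assumes that the second GW server holds the other host address of a client's 30-bit block, which the text above does not specify.

```python
import ipaddress

# Constructed sample addresses (assumptions, not taken from the specification).
CLIENT_A = "192.168.1.6"
CLIENT_B = "192.168.1.10"
FIRST_GW = "192.168.1.1"             # first GW server 28, 24-bit netmask
SECOND_GW_FOR_A = "192.168.1.5"      # assumed: other host of client A's 30-bit block
SECOND_GW_IFACE = "192.168.1.5/22"   # second GW server 3, 22-bit netmask
MEASURE_SERVER = "10.0.2.4"          # security measure server 4 on network 102


def delivery(src_iface: str, dst: str, router: str) -> str:
    """Decide how a node with address/prefix `src_iface` sends to `dst`.

    A destination inside the sender's own network section is on-link and is
    contacted directly; everything else is handed to the configured router.
    """
    iface = ipaddress.ip_interface(src_iface)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return f"via {router}"


def direct_peers(src_iface: str, candidates: list[str]) -> list[str]:
    """Return the candidates that `src_iface` would contact without a router."""
    own = str(ipaddress.ip_interface(src_iface).ip)
    return [c for c in candidates
            if c != own and delivery(src_iface, c, "") == "direct"]


def scenario(prefix_len: int, router: str) -> dict[str, str]:
    """Client A's view of the network for a given netmask length."""
    src = f"{CLIENT_A}/{prefix_len}"
    return {
        "to_client_b": delivery(src, CLIENT_B, router),
        "to_router": delivery(src, router, router),
        "to_measure_server": delivery(src, MEASURE_SERVER, router),
    }


if __name__ == "__main__":
    print("normal (24 bits):          ", scenario(24, FIRST_GW))
    print("security measure (30 bits):", scenario(30, SECOND_GW_FOR_A))
    print("second GW (22 bits) sees:  ",
          direct_peers(SECOND_GW_IFACE, [CLIENT_A, CLIENT_B]))
```

The on-link decision is made by each client's own IP stack, so this containment holds only for clients that apply the assigned netmask; hosts on the same physical segment that do not apply it need isolation enforced at the switch as well.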

(Hardware)

FIG. 5 is a diagram illustrating a hardware configuration of the DHCP server 2, the first GW server 28, the second GW server 3, the security measure server 4, the security check server 5, the client computer 10, and the other nodes 18 shown in FIG. 1.

As shown in FIG. 5, each of the nodes of the computer network system 1 is configured by a computer main body 120 including a CPU 122 and a memory 124, a display and input device 126 including a display device, a keyboard, and the like, a communication device 128 that performs communication with other nodes via the network 100, and a recording device 130 such as an HD device or a CD device.

In other words, each of the nodes of the computer network system 1 includes components as computers capable of communicating with the other nodes via the networks 100 and 102.

(Programs)

Programs executed in each of the nodes of the computer network system 1 will be hereinafter explained.

The following programs are, for example, supplied to each of the nodes via the recording medium 132 (FIG. 5), loaded to the memory 124, and executed on an operating system (OS), which generally operates in each of the nodes, by specifically using hardware of each of the nodes.

(Client Program 14)

FIG. 6 is a diagram showing a client program 14 which operates in the client computer 10 shown in FIG. 1.

As shown in FIG. 6, the client program 14 includes a DHCP client section 140, a communication processing section 150, an application program (AP) 160, and a user interface (UI) section 162.

The client program 14 is assigned an IP address from the DHCP server 2, performs communication with the other nodes, and provides a user with various functions using those components.

In the client program 14, the DHCP client section 140 realizes a function of a general DHCP client according to the DHCP.

The DHCP client section 140 requests the client program 14 to assign an IP address and receives an IP address and a netmask (a 24-bit general-purpose netmask) of the IP address assigned by the DHCP server 2 in response to this request.

The DHCP client section 140 requests the DHCP server 2 to reassign an IP address at a predetermined period (e.g., every several minutes) in accordance with a setting by the DHCP server 2 and is assigned an IP address and a netmask (a general-purpose netmask during the normal communication (FIG. 2) or a 30-bit specific netmask during the other communication (during the security measure communication; FIG. 4)) of the IP address reassigned by the DHCP server 2 in accordance with this request.

The DHCP client section 140 further receives, other than an IP address and a netmask of the IP address, information necessary for communication in the computer network system 1 such as an IP address of the DHCP server 2, IP addresses of the first GW server 28 and the second GW server 3, an interval of a reassignment request, and an IP address of the DNS server, from the DHCP server 2.

Those pieces of information received by the DHCP client section 140 from the DHCP server 2 are outputted to the communication processing section 150 and used for communication with the other nodes.

The communication processing section 150 performs communication with the other nodes in the aspects shown in FIGS. 2 to 4 using the IP address and the netmask of the IP address inputted from the DHCP client section 140.

In the client computer 10, the communication processing section 150 performs communication with the other arbitrary nodes as shown in FIG. 2 when the number of bits of the netmask inputted from the DHCP client section 140 is 24.

Alternatively, in the client computer 10, the communication processing section 150 performs communication with the client computers 10 and the security measure server 4 via the DHCP server 2 in the mode shown in FIG. 4 when the number of bits of the netmask inputted from the DHCP client section 140 is 30.

The AP 160 provides the user with application functions such as a Web browser and a word processor.

The UI section 162 accepts operation by the user on the display and input device 126 (FIG. 5) or the like and outputs the accepted operation of the user to the other components.

The UI section 162 controls processing by the other components in accordance with the operation accepted.

The UI section 162 displays information obtained as a result of the processing by the other components on the display and input device 126 and indicates the information to the user.

(DHCP Program 20)

FIG. 7 is a diagram showing a DHCP server program 20 which operates in the DHCP server 2 shown in FIG. 1.

As shown in FIG. 7, the DHCP server program 20 includes a UI section 162, a communication changeover control 200, a control-during-security-measure section 210, a control-during-normal-communication section 212, a DHCP-server processing section 22, and a communication processing section 150.

The DHCP server section 22 includes a DHCP-server processing section 220, a network managing section 230, a network database (a network DB) 232, an IP-address managing section 240, an IP address DB 242, a netmask managing section 250, a netmask table 252, a reassignment-period managing section 260, and a reassignment period DB 262.

The DHCP server 20 provides each of the nodes of the computer network system 1 with functions of a general DHCP server according to the DHCP using these components.

In other words, the DHCP server program 20 assigns a general-purpose IP address with a 24-bit general-purpose netmask to the client computer 10 when the normal communication (FIG. 2) is performed in the computer network system 1 and when the security measure (FIG. 4) is successfully completed in the computer network system 1.

The DHCP server program 20 connects all the client computers 10 to the security measure server 4 via the second GW server 3 and causes the security measure server 4 to perform a security measure for the client computers 10 when the security measure communication (FIG. 4) is performed in the computer network system 1.

In the DHCP server program 20, the communication changeover control section 200 boots up the control-during-normal-communication section 212 when the normal communication (FIG. 2) is performed in the computer network system 1.

The communication changeover control section 200 boots up the control-during-security-measure section 210 when the security measure communication (FIG. 4) is performed in the computer network system 1.

Examples of timing for the communication changeover control section 200 to boot up the control-during-security-measure section 210 include:

(1) a case where operation for performing a security measure is performed in the computer network system 1 by a user (an administrator of the computer network system 1) of the DHCP server 2; and

(2) a case where detection of specific vulnerability on security in the computer network system 1 is notified from the security check server 5.

Examples of timing for the communication changeover control section 200 to boot up the control-during-normal-communication section 212 include:

(1) a case where operation for completing a security measure in the computer network system 1 is performed by the user of the DHCP server 2; and

(2) a case where acceptance in a security check in the computer network system 1 is notified from the security check server 5.

When the control-during-security-measure section 210 is booted up by the communication changeover control section 200, the control-during-security-measure section 210 controls the DHCP server section 22 to reassign a specific IP address with a specific netmask to each of the client computers 10 in the case of reassignment of IP addresses.

When the control-during-normal-communication section 212 is booted up by the communication changeover control section 200, the control-during-normal-communication section 212 controls the DHCP server section 22 to assign a general-purpose IP address with a general-purpose netmask to each node in the computer network system 1.

The network managing section 230 manages information on the computer network system 1 used for DHCP processing and stores the information in the network DB 232.

The network managing section 230 provides the stored information on the computer network system 1 as necessary for processing in the DHCP server processing section 220.

The IP-address managing section 240 stores an IP address, which can be assigned or reassigned to each of the nodes of the computer network system 1, in the IP address DB 242 and manages the IP address stored.

The IP-address managing section 240 provides the stored IP address as necessary for processing in the DHCP-server processing section 220.

The netmask managing section 250 stores a general-purpose netmask used during the normal communication and a specific netmask used during the security measure communication in the netmask table 252 and manages the netmasks.

The netmask managing section 250 provides the stored netmasks as necessary for processing in the DHCP server processing section 220.

The reassignment-period managing section 260 stores a reassignment period for an IP address set for each of the nodes of the network computer system 1 in the reassignment period DB 262 and manages the reassignment period stored.

The reassignment-period managing section 260 provides the stored netmasks as necessary for processing in the DHCP server processing section 220.

The DHCP-server processing section 220 performs assignment of an IP address to each of the nodes of the computer system 1 using information provided from the network managing section 230, the IP-address managing section 240, the netmask managing section 250, and the reassignment-period managing section 260 in accordance with the control by the control-during-security-measure section 210 or the control-during-normal-communication section 212.

Similarly, the DHCP-server processing section 220 performs assignment and reassignment of the general-purpose IP address to each of the client computers 10 in accordance with the control by the control-during-normal-communication section 212.

The DHCP-server processing section 220 performs reassignment of the specific IP address to the client computer 10 in accordance with the control by the control-during-security-measure section 210.

The DHCP-server processing section 220 performs setting of a period of reassignment of an IP address to each of the nodes of the computer network system 1, notification of IP addresses of the first GW server 28, the second GW server 3, and the DHCP server 2 to the client computer 10, notification of an IP address of the DNS server to each of the nodes of the computer network system 1, and the like.

FIG. 8 is a flowchart showing processing (S10) by the DHCP server program 20 shown in FIG. 7.

As shown in FIG. 8, in Step 100 (S100), the communication changeover control section 200 of the DHCP server 2 judges whether a security measure in the computer network system 1 is required according to operation by the user of the DHCP server 2 or notification from the security check server 5.

In a case where the security measure is required, the DHCP server program 20 proceeds to processing in S102. In other cases, the DHCP server program 20 proceeds to processing in S110.

In Step 102 (S102), the communication changeover control section 200 of the DHCP server 2 judges whether the security measure in the computer network system 1 is completed according to operation by the user of the DHCP server 2 or completion of processing in the security check server 5.

In a case where the security measure is completed, the DHCP server program 20 proceeds to processing in S110. In other cases, the DHCP server program 20 proceeds to processing in S104.

In Step 104 (S104), the communication changeover control section 200 boots up the control-during-security-measure section 210.

The control-during-security-measure section 210 controls the DHCP server section 22 to perform assignment of an IP address (a specific IP address) used for the security measure to the client computer 10.

In Step 110 (S110), the communication changeover control section 200 boots up the control-during-normal-communication section 212.

The control-during-normal-communication section 212 controls the DHCP server section 22 to perform assignment and reassignment of an IP address (a general-purpose IP address) used for normal communication to the client computer 10.

Note that the processing by the DHCP server program 20 shown in FIG. 8 is applied not only uniformly to all the client computers 10 but also selectively to a part of the client computers 10.
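The FIG. 8 decision (S100 to S110) and the netmask changeover it drives, sketched as an added Python example that is not part of the patent. The address ranges, the `DhcpServerModel` class, the `on_link` helper and the rule that the second GW server holds one address in every 30-bit subnet are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (an assumption; the patent gives only netmask lengths).
NORMAL_NET = ipaddress.ip_network("192.168.10.0/24")       # general-purpose, 24-bit netmask
QUARANTINE_POOL = ipaddress.ip_network("192.168.20.0/24")  # carved into 30-bit subnets


@dataclass(frozen=True)
class Lease:
    client_id: str
    interface: ipaddress.IPv4Interface  # assigned address together with its netmask
    gateway: ipaddress.IPv4Address      # first GW (normal) or second GW (security measure)


def select_mode(measure_required: bool, measure_completed: bool) -> str:
    """Decision of FIG. 8: S100, then S102, ending in S104 or S110."""
    if not measure_required:   # S100: no security measure required
        return "normal"        # S110
    if measure_completed:      # S102: security measure already completed
        return "normal"        # S110
    return "security"          # S104


class DhcpServerModel:
    """Hypothetical stand-in for the DHCP server 2. Flags are passed per client,
    so the changeover can cover all clients or only a selected part of them."""

    def __init__(self):
        hosts = list(NORMAL_NET.hosts())
        self.first_gw = hosts[0]
        self._free_general = hosts[1:]
        self._free_specific = list(QUARANTINE_POOL.subnets(new_prefix=30))
        self._general = {}    # client_id -> general-purpose Lease
        self._specific = {}   # client_id -> specific (security measure) Lease

    def assign(self, client_id, measure_required, measure_completed):
        if select_mode(measure_required, measure_completed) == "security":
            return self._specific_lease(client_id)
        return self._general_lease(client_id)

    def _general_lease(self, client_id):
        if client_id not in self._general:
            if not self._free_general:
                raise RuntimeError("general-purpose pool exhausted")
            ip = self._free_general.pop(0)
            iface = ipaddress.ip_interface(f"{ip}/{NORMAL_NET.prefixlen}")
            self._general[client_id] = Lease(client_id, iface, self.first_gw)
        return self._general[client_id]

    def _specific_lease(self, client_id):
        if client_id not in self._specific:
            if not self._free_specific:
                raise RuntimeError("no free 30-bit subnet left for the security measure")
            subnet = self._free_specific.pop(0)
            second_gw, client_ip = subnet.hosts()  # a /30 has exactly two usable hosts
            iface = ipaddress.ip_interface(f"{client_ip}/30")
            self._specific[client_id] = Lease(client_id, iface, second_gw)
        return self._specific[client_id]


def on_link(lease, addr):
    """True when addr lies inside the subnet defined by the lease's netmask."""
    return addr in lease.interface.network


if __name__ == "__main__":
    srv = DhcpServerModel()
    for cid in ("pc-1", "pc-2"):
        print("normal  ", srv.assign(cid, False, False))
    for cid in ("pc-1", "pc-2"):
        print("security", srv.assign(cid, True, False))
```

With the 30-bit netmask each client shares its subnet only with the gateway address, so two clients under the security measure are no longer on-link with each other.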

(GW Server Program 30)

FIG. 9 is a diagram showing a GW server program 30 which operates in the second GW server 3 shown in FIG. 1.

As shown in FIG. 9, the GW server program 30 includes a communication processing section 150, a UI section 162, a communication changeover control section 300, a control-during-normal-communication section 312, a control-during-security-measure section 310, and a GW server section 32.

The GW server section 32 includes a GW-server processing section 320, a network managing section 330, a network DB 332, an IP-address managing section 340, an IP address DB 342, a netmask managing section 350, and a netmask table 352.

The GW server program 30 connects the client computer 10 and the security measure server 4 and causes the client computer 10 and the security measure server 4 to perform communication during anti-virus communication.

In the GW server program 30, the communication changeover control section 300 boots up the control-during-security-measure section 310 when the security measure communication (FIG. 4) is performed in the computer network system 1.

Timing for the communication changeover control section 300 to boot up the control-during-security-measure section 310 is the same as the timing for the communication changeover control section 200 of the DHCP server program 20 (FIG. 7) to start the control-during-security-measure section 210.

When the control-during-security-measure section 310 is booted up by the communication changeover control section 300, the control-during-security-measure section 310 controls the GW server section 32 to provide the client computer 10 with functions required during the security measure communication.

The network managing section 330 manages information on the computer network system 1 used for processing and the like as a GW server and stores the information in the network DB 332.

The network managing section 330 provides the stored information on the computer network system 1 as necessary for processing in the GW-server processing section 320.

The IP-address managing section 340 stores an IP address assigned to the GW client computer 10 and used for the processing and the like as a GW server in the IP address DB 342 and manages the IP address stored.

The IP-address managing section 340 provides the stored IP address as necessary for processing in the GW-server processing section 320.

The netmask managing section 350 stores a general-purpose netmask used during normal communication and a specific netmask used during anti-virus communication and manages the netmasks.

The netmask managing section 350 provides the stored netmasks as necessary for processing in the GW-server processing section 320.

In accordance with the control by the control-during-security-measure section 310, the GW-server processing section 320 performs the processing and the like necessary for connecting the client computer 10 and the security measure server 4 and, as appropriate, also provides the client computer 10 with other functions necessary to serve as a firewall, a database, a program server, and the like.

(Security Measure Program 40)

FIG. 10 is a diagram showing a security measure program 40 which operates in the security measure server 4 shown in FIG. 1.

As shown in FIG. 10, the security measure program 40 includes a communication processing section 150, a UI section 162, a security measure section 400, a network managing section 430, a network DB 432, an IP-address managing section 440, and an IP address DB 442.

The security measure program 40 takes a security measure for the client computer 10 during the security measure communication (FIG. 4) in the computer network system 1 using those components.

The network managing section 430 manages information on the computer network system 1 used for the security measure and stores the information in the network DB 432.

The network managing section 430 provides the stored information on the computer network system 1 as necessary for processing in the security measure section 400.

The IP-address managing section 440 stores an IP address assigned to the GW client computer 10 and used for the security measure in the IP address DB 442 and manages the IP address stored.

The IP-address managing section 340 provides the stored IP address as necessary for processing in the security measure section 400.

The security measure section 400 is sequentially connected to and performs communication with the client computers 10 and takes a security measure for the client computers 10 during the security measure communication (FIG. 4).

Examples of functions for the security measure provided by the security measure section 400 include the functions described in the following items (1) to (5):

(1) installation of an OS security measure patch and a hot fix to the client computers 10;

(2) update of database for viral infection check for the client computers 10;

(3) removal of a virus infecting the client computers 10;

(4) restoration of a program, data, and the like of the client computers 10 adversely affected by the virus; and

(5) update of the AP 160 that causes viral infection.

(Security Measure Program 50)

FIG. 11 is a diagram showing a security measure program 50 which operates in the security measure server 5 shown in FIG. 1.

As shown in FIG. 11, the security measure program 50 includes a communication processing section 150, a UI section 162, a security measure section 500, an other-nodes control section 510, a network managing section 530, a network DB 532, an IP-address managing section 540, and an IP address DB 542.

The security measure program 50 constantly performs security check (e.g., detection of computer virus) with respect to the client computer 10 in the computer network system 1 using those components.

In the security check program 50, the communication processing section 150 receives security related information from the client computers 10 and notifies the security check section 500 of the security related information.

The security check section 500 periodically processes the security related information received from the communication processing section 150 and performs security check for the client computers 10.

Further, the security check section 500 notifies the other-nodes control section 510 whether a problem (viral infection, etc.) on security is detected in one or more of the client computers 10 (rejection in the security check) or there is no problem on security in all the client computers 10 (acceptance in the security check) according to the security check.

The other-nodes control section 510 controls the DHCP server 2, the second GW server 3, and the anti-virus server 4 to perform processing for a security measure or processing for completion of the security measure according to operation by the user on the security check server 5 or a result of the security check by the security check section 500.

(Overall Operations of the Computer Network System 1)

Overall operations of the computer network system 1 will be hereinafter explained.

(During Normal Communication)

FIG. 12 is a communication sequence diagram showing an operation (S12) during the normal communication (FIG. 2) in the computer network system 1 shown in FIG. 1.

In Steps 130-1 to 130-n (S130-1 to S130-n), the client computers 10-1 to 10-n sequentially request the DHCP server 2 to assign IP addresses.

In Steps 132-1 to 132-n (S132-1 to S130-n), the DHCP server 2 sequentially assigns general-purpose IP addresses to the client computers 10-1 to 10-n.

The first GW server 28 and the client computers 10 perform communication with other arbitrary nodes using the general-purpose IP addresses assigned by the DHCP server 2.

(When Security Measure Starts)

FIG. 13 is a communication sequence diagram showing an operation (S14) at the start of the security measure communication (FIG. 4) in the computer network system 1 shown in FIG. 1.

As shown in FIG. 13, in Steps 140 and 142 (S140 and S142), for example, when the security check for the client computer 10 has ended in rejection, the security check server 5 notifies the DHCP server 2 and the second GW server 3 of start of a security measure.

In Steps 150-1 to 150-n (S150-1 to S150-n), the client computers 10-1 to 10-n assigned the general-purpose IP addresses according to the processing in S12 sequentially request the DHCP server 2 to reassign IP addresses.

In Steps 152-1 to 152-n (S152-1 to S152-n), the DHCP server 2 sequentially assigns specific IP addresses to the client computers 10-1 to 10-n.

The client computers 10 reassigned the specific IP addresses perform communication with the security measure server 4 via the second GW server 3 and are subjected to a security measure by the security measure server 4.

(When Security Measure Completes)

FIG. 14 is a communication sequence diagram showing an operation (S18) at the completion of the security measure communication (FIG. 4) in the computer network system 1 shown in FIG. 1.

As shown in FIG. 14, in Steps 180 and 182 (S180 and S182), the security check server 5, which has judged that the client computers 10 are accepted in a security check, notifies the DHCP server 2 and the second GW server 3 of completion of a security measure.

In Steps 190-1 to 190-n (S190-1 to S190-n), the client computers 10-1 to 10-n assigned the specific IP addresses according to the processing in S14 sequentially request the DHCP server 2 to reassign IP addresses.

In Steps 192-1 to 192-n (S192-1 to S192-n), the DHCP server 2 sequentially assigns general-purpose IP addresses to the client computers 10-1 to 10-n.

The client computers 10 reassigned the general-purpose IP addresses resume communication with other arbitrary nodes.

INDUSTRIAL APPLICABILITY

The present invention can be used for assignment of IP addresses, anti-virus measures, and the like in a computer network.

1. A computer system, in which communication is performed using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask, the computer system comprising: one or more first nodes for performing communication using the first IP address or the second IP address in a network to which the first netmask and the second netmask are applied; one or more second nodes for performing communication using the second IP address and performing communication control among the first nodes; a third node for selectively assigning the first IP address or the second IP address to the first node; and a fourth node for performing communication with the first nodes, wherein: the first IP address is an IP address used for communication between each group including one or more of the first nodes, and the fourth node; the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes; the first nodes communicate with the fourth node using the first IP address assigned thereto; wherein the fourth node is a second gateway server for applying communication control for a security measure to the first nodes; and wherein, in a case where the communication control for the security measure for the first node is performed by the second gateway server, the third node assigns the first IP address with a first netmask having a number of bits smaller than the second netmask to the first nodes the second nodes communicate with arbitrary one of the first nodes using the second IP address assigned thereto.
2. The computer system according to claim 1, wherein: the first nodes are network computers; the second nodes are first gateway servers; and the third node is a DHCP server.
3. The computer system according to claim 1, further comprising a fifth node for performing communication with the first nodes via the fourth node, wherein the first nodes further perform communication with the fifth node via the fourth node using the first IP address assigned.
4. The computer system according to claim 3, wherein the fifth node provides the first nodes with a predetermined function via the fourth node.
5. The computer system according to claim 4, wherein: the first nodes request the third node to assign IP addresses at a predetermined time interval; and the third node assigns the first IP address or the second IP address to the first nodes for requesting assignment of IP addresses.
6. An IP address assigning apparatus for selectively assigning, in a computer system in which communication is performed using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask, the first IP address or the second IP address, wherein: the computer system includes: one or more first nodes for requesting reassignment of IP addresses at predetermined timing and performing communication using the first IP address or the second IP address assigned in response to this request, in a network to which the first netmask and the second netmask are applied; one or more second nodes for performing communication using the second IP address and performing communication control among the first nodes; and a fourth node for performing communication with the first nodes; the first IP address is an IP address used for communication between each group including one or more of the first nodes, and the fourth node; the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes; the first nodes communicate with the fourth node using the first IP address assigned thereto; the second nodes communicate with arbitrary one of the first nodes using the second IP address assigned thereto; and the IP address assigning apparatus comprises: assigning means for assigning the second IP address to each of the first nodes; and reassigning means for, in response to requests for reassignment of IP addresses from the first nodes, to the first nodes which have requested the reassignment of IP addresses, reassigning the first IP address in a case where the fourth node and the first nodes communicate with each other, and reassigning the second IP address in other cases.
7. The IP address assigning apparatus according to claim 6, wherein the reassigning means sequentially reassigns, in response to the request for reassignment of IP addresses from the communication node, the specific IP address to all the communication nodes in a case where the communication between the specific nodes and the communication nodes is performed.
8. A communication method of performing communication in a network using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask, wherein: the network includes first to fourth nodes each of which being one or more nodes; the first IP address is an IP address used for communication between each group including one or more of the first nodes, and the fourth nodes; the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes; the third nodes selectively assign the first IP address or the second IP address to the first nodes; each of the first nodes performs communication with the fourth nodes using the first IP address assigned thereto and communicates with the second nodes using the second IP address assigned thereto; wherein the fourth node is a second gateway server for applying communication control for a security measure to the first nodes; and wherein, in a case where the communication control for the security measure for the first node is performed by the second gateway server, the third node assigns the first IP address with a first netmask having a number of bits smaller than the second netmask to the first nodes each of the second nodes communicates with arbitrary one of the first nodes using the second IP address.
9. An IP address assigning method of selectively assigning, in a computer system in which communication is performed using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask, the first IP address or the second IP address, wherein: the computer system includes: one or more first nodes for requesting reassignment of IP addresses at predetermined timing and performing communication using the first IP address or the second IP address assigned in response to this request, in a network to which the first netmask and the second netmask are applied; one or more second nodes for performing communication using the second IP address and performing communication control among the first nodes; and a fourth node for performing communication with the first nodes; the first IP address is an IP address used for communication between each group including one or more of the first nodes, and the fourth node; the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes; the first nodes communicate with the fourth node using the first IP address assigned thereto; the second nodes communicate with arbitrary one of the first nodes using the second IP address assigned thereto; and the IP address assigning method comprises: assigning the second IP address to each of the first nodes; and in response to requests for reassignment of IP addresses from the first nodes, to the first nodes which have requested the reassignment of IP addresses, reassigning the first IP address in a case where the fourth node and the first nodes communicate with each other, and reassigning the second IP address in other cases.
10. A program stored on a memory and executed by a processor for performing communication in a network using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask, wherein: the network includes first to fourth nodes each of which being one or more nodes; the first IP address is an IP address used for communication between each group including one or more of the first nodes, and the fourth nodes; the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes; and the program causes a computer to execute the steps of: selectively assigning, by the third nodes, the first IP address or the second IP address to the first nodes; performing, by each of the first nodes, communication with the fourth nodes using the first IP address assigned thereto and communication with the second nodes using the second IP address assigned thereto; and performing, by each of the second nodes, communication with arbitrary one of the first nodes using the second IP address wherein the fourth node is a second gateway server for applying communication control for a security measure to the first nodes; and wherein, in a case where the communication control for the security measure for the first node is performed by the second gateway server, the third node assigns the first IP address with a first netmask having a number of bits smaller than the second netmask to the first nodes.
11. A program stored on a memory and executed by a processor for an IP address assigning method of selectively assigning, in a computer system in which communication is performed using a first IP address with a first netmask having a predetermined number of bits and a second IP address with a second netmask having a number of bits different from that of the first netmask, the first IP address or the second IP address, wherein: the computer system includes: one or more first nodes for requesting reassignment of IP addresses at predetermined timing and performing communication using the first IP address or the second IP address assigned in response to this request, in a network to which the first netmask and the second netmask are applied; one or more second nodes for performing communication using the second IP address and performing communication control among the first nodes; and a fourth node for performing communication with the first nodes; the first IP address is an IP address used for communication between each group including one or more of the first nodes, and the fourth node; the second IP address is an IP address for communication between arbitrary one of the first nodes and the second nodes; the first nodes communicate with the fourth node using the first IP address assigned thereto; the second nodes communicate with arbitrary one of the first nodes using the second IP address assigned thereto; and the program causes a computer to execute the steps of: assigning the second IP address to each of the first nodes; and in response to requests for reassignment of IP addresses from the first nodes, to the first nodes which have requested the reassignment of IP addresses, reassigning the first IP address in a case where the fourth node and the first nodes communicate with each other, and reassigning the second IP address in other cases.